[Samba] Running SQL Server xp_logininfo with Samba PDC

Jason lst-samba at jupiterone.net
Sun Nov 3 20:14:14 MST 2013


We have set up Samba 4.1 as a PDC.  We have successfully connected several
Windows 2008 Servers to the domain and created various users/groups.
During an application installation on the Windows server, it runs the
command in SQL Server:

master..xp_logininfo 'MYDOMAIN\useraccount'

SQL Server is running as a service user created on the domain (here called
MYDOMAIN).

This returns:

Msg 15404, Level 16, State 19, Procedure xp_logininfo, Line 64
Could not obtain information about Windows NT group/user
'DOMAIN\useraccount', error code 0x5.

In the security log on Windows it has:

An account failed to log on.

Subject:
Security ID: MYDOMAIN\SQLService
Account Name: SQLService
Account Domain:       MYDOMAIN
Logon ID: 0x1063d

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Account Domain:

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006e
Sub Status: 0xc000006e

Process Information:
Caller Process ID: 0x52c
Caller Process Name: C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn\sqlservr.exe


In the Samba Log on the PDC it gives the following messages:

[2013/11/04 14:05:12.684946,  4]
../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
  dreplsrv_notify_schedule(5) scheduled for: Mon Nov  4 14:05:18 2013 EST
[2013/11/04 14:05:17.693823,  4]
../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
  dreplsrv_notify_schedule(5) scheduled for: Mon Nov  4 14:05:23 2013 EST
[2013/11/04 14:05:17.839450,  3]
../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2013/11/04 14:05:17.840862,  5]
../auth/gensec/gensec_start.c:649(gensec_start_mech)
  Starting GENSEC mechanism schannel
[2013/11/04 14:05:17.887505,  3]
../libcli/auth/schannel_state_tdb.c:181(schannel_fetch_session_key_tdb)
  schannel_fetch_session_key_tdb: restored schannel info key
SECRETS/SCHANNEL/SERVERNAME
[2013/11/04 14:05:17.927963,  3]
../source4/rpc_server/dcerpc_server.c:963(dcesrv_request)
  Warning: 60 extra bytes in incoming RPC request
[2013/11/04 14:05:17.945518,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ SQLService at AD.MYDOMAIN.COM.AU from ipv4:
172.17.1.20:61630 for
SQLService\@AD.MYDOMAIN.COM.AU at AD.MYDOMAIN.COM.AU[canonicalize,
renewable, forwardable]
[2013/11/04 14:05:17.956953,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: s4u2self SQLService at AD.MYDOMAIN.COM.AU impersonating
sodadm at MYDOMAIN to service SQLService\@AD.MYDOMAIN.COM.AU at AD.MYDOMAIN.COM.AU
[2013/11/04 14:05:17.957371,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Principal may not act as server -- SQLService\@
AD.MYDOMAIN.COM.AU at AD.MYDOMAIN.COM.AU
[2013/11/04 14:05:17.972537,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:172.17.1.20:61630
[2013/11/04 14:05:17.990408,  3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED'
[2013/11/04 14:05:17.990922,  5]
../source4/lib/messaging/messaging.c:554(imessaging_cleanup)
  imessaging: cleaning up /opt/samba4/private/smbd.tmp/msg/msg.1370.34
[2013/11/04 14:05:17.991117,  3]
../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED]
[2013/11/04 14:05:18.136571,  5]
../source4/winbind/wb_irpc.c:144(wb_irpc_get_idmap)
  wb_irpc_get_idmap called
[2013/11/04 14:05:18.136706,  5]
../source4/winbind/wb_sids2xids.c:43(wb_sids2xids_send)
  wb_sids2xids_send called
[2013/11/04 14:05:18.161368,  5]
../source4/winbind/wb_irpc.c:176(wb_irpc_get_idmap_callback)
  wb_irpc_get_idmap_callback called
[2013/11/04 14:05:18.161647,  5]
../source4/winbind/wb_sids2xids.c:83(wb_sids2xids_recv)
  wb_sids2xids_recv called
[2013/11/04 14:05:18.198764,  3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'


Our smb.conf is currently:

# Global parameters
[global]
        workgroup = MYDOMAIN
        realm = AD.MYDOMAIN.COM.AU
        netbios name = GATEWAY
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
        interfaces = eth1 lo
        log level = 5
        bind interfaces only = yes

[netlogon]
        path = /opt/samba4/var/locks/sysvol/ad.mydomain.com.au/scripts
        read only = No

[sysvol]
        path = /opt/samba4/var/locks/sysvol
        read only = No

I have replicated the exact same application installation using a Windows
Server PDC and it worked successfully.

Does anyone have any suggestions on things I can try?

Regards,

Jason
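
Added example, not part of the original post: a Python parser for the Samba log format quoted above that rejoins records wrapped by the mail archive and lists the S4U2Self requests for which the KDC then logged an error. The function names are this example's own, and the sample records are copied from the post with the archive's " at " substitution left in place.

```python
import re

# Record header "[YYYY/MM/DD HH:MM:SS.usec,  level]"; "file:line(function)" follows it.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s+(\d+)\]")
SOURCE = re.compile(r"^\.\./\S+\(\w+\)$")
S4U = re.compile(r"s4u2self (.+?) impersonating (.+?) to service ")
KDC_ERRORS = ("Principal may not act as server", "Failed building TGS-REP")

def parse_records(text):
    """Join each header with its wrapped message lines -> [(timestamp, level, msg)]."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append([m.group(1), int(m.group(2)), ""])
            line = line[m.end():]
        line = line.strip()
        # Skip the source-location line; everything else is message text.
        if records and line and not SOURCE.match(line):
            records[-1][2] = (records[-1][2] + " " + line).strip()
    return [tuple(r) for r in records]

def failed_s4u2self(records):
    """Return the S4U2Self requests that were followed by a KDC error message."""
    requests, current = [], None
    for ts, _level, msg in records:
        if not msg.startswith("Kerberos: "):
            continue
        body = msg[len("Kerberos: "):]
        m = S4U.match(body)
        if body.startswith("TGS-REQ"):
            current = None                  # a new ticket request begins
        elif m:
            current = {"ts": ts, "requester": m.group(1),
                       "impersonating": m.group(2), "errors": []}
            requests.append(current)
        elif current is not None and body.startswith(KDC_ERRORS):
            current["errors"].append(next(e for e in KDC_ERRORS if body.startswith(e)))
    return [r for r in requests if r["errors"]]

# Sample input: two records copied from the log in the post, archive wrapping kept.
SAMPLE = r"""[2013/11/04 14:05:17.956953,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: s4u2self SQLService at AD.MYDOMAIN.COM.AU impersonating
sodadm at MYDOMAIN to service SQLService\@AD.MYDOMAIN.COM.AU at AD.MYDOMAIN.COM.AU
[2013/11/04 14:05:17.957371,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Principal may not act as server -- SQLService\@
AD.MYDOMAIN.COM.AU at AD.MYDOMAIN.COM.AU"""
```

Calling `failed_s4u2self(parse_records(SAMPLE))` returns one entry, for the request in which SQLService impersonates sodadm.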

